CVE-2020-13959

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

CVSS v3.0 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb1caea61915d6b6@%3Ccommits.velocity.apache.org%3E	Mailing List Patch Vendor Advisory
https://lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3@%3Cuser.velocity.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rf9868c564cff7adfd5283563f2309b93b3e496354a211a57503b2f72@%3Cannounce.apache.org%3E	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2021/03/10/2	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00021.html	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r97edad0655770342d2d36620fb1de50b142fcd6c4f5c53dd72ca41d7@%3Cuser.velocity.apache.org%3E	Mailing List Vendor Advisory
https://security.gentoo.org/glsa/202107-52	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:velocity_tools:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Information

Published : 2021-03-10 00:15

Updated : 2022-04-22 11:54

NVD link : CVE-2020-13959

Mitre link : CVE-2020-13959

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Products Affected

debian

debian_linux

apache

velocity_tools

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E", "name": "N/A", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb1caea61915d6b6@%3Ccommits.velocity.apache.org%3E", "name": "[velocity-commits] 20210310 [velocity-site] 01/01: CVE announcement", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3@%3Cuser.velocity.apache.org%3E", "name": "[velocity-user] 20210310 CVE-2020-13959: Velocity Tools XSS Vulnerability", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rf9868c564cff7adfd5283563f2309b93b3e496354a211a57503b2f72@%3Cannounce.apache.org%3E", "name": "[announce] 20210310 CVE-2020-13959: Velocity Tools XSS Vulnerability", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "http://www.openwall.com/lists/oss-security/2021/03/10/2", "name": "[oss-security] 20210309 CVE-2020-13959: Velocity Tools XSS Vulnerability", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00021.html", "name": "[debian-lts-announce] 20210317 [SECURITY] [DLA 2597-1] velocity-tools security update", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r97edad0655770342d2d36620fb1de50b142fcd6c4f5c53dd72ca41d7@%3Cuser.velocity.apache.org%3E", "name": "[velocity-user] 20210318 Re: CVE-2020-13959: Velocity Tools XSS Vulnerability", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://security.gentoo.org/glsa/202107-52", "name": "GLSA-202107-52", "tags": ["Third Party Advisory"], "refsource": "GENTOO"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-13959", "ASSIGNER": "security@apache.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "baseMetricV3": {"cvssV3": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}}, "publishedDate": "2021-03-10T08:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:apache:velocity_tools:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "3.1"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-04-22T18:54Z"}

6.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2020-13959

6.1^/10

4.3^/10

Attach tags to `CVE-2020-13959`